ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT106
  • Created: 14th December 2024
  • Updated: 14th December 2024
  • Contributor: Joshua Beaman

Microsoft Entra ID Privileged Identity Management Resource Audit

Within the Microsoft Entra admin center, the Resource audit can be reviewed to identify PIM elevations for users, including key information such as the requestor user, subject user, action, domain, and primary target (role assigned/removed). This can aid investigators by providing an audit trail for PIM elevations and the duration for which an eligible role was attached to a user account.

 

The following URL can be used to view this activity log, provided the investigator's account has the Privileged Role Administrator role assigned, or a role with higher privileges: https://entra.microsoft.com/#view/Microsoft_Azure_PIMCommon/ResourceMenuBlade/~/Audit/resourceId//resourceType/tenant/provider/aadroles

Sections

ID Name Description
PR024Increase Privileges

A subject uses a mechanism to increase or add privileges assigned to a user account under their control. This enables them to access systems, services, or data that is not possible with their standard permissions.

PR018Circumventing Security Controls

A subject abuses their access or conducts unapproved changes to circumvent host-based security controls.

IF011Providing Access to a Unauthorized Third Party

A subject intentionally provides system or data access to a third party that is not authorized to access it.

PR015.004Bulk Email Collection

A subject creates an email collection file such as a Personal Storage Table (PST) file or an MBOX file to copy an entire mailbox or subset of a mailbox containing sensitive information.

ME024.002Access to Privileged Groups and Non-User Accounts

A subject with access to privileged groups (e.g., Domain Admins, Enterprise Admins, or Security Groups) or non-user accounts (such as service accounts, application identities, or shared mailboxes) gains elevated control over systems, applications, and sensitive organizational data. Access to these groups or accounts often provides the subject with knowledge of security configurations, user roles, and potentially unmonitored or sensitive activities that occur within the system.

 

Shared mailboxes, in particular, are valuable targets. These mailboxes are often used for group communication across departments or functions, containing sensitive or confidential information, such as internal discussions on financials, strategic plans, or employee data. A subject with access to shared mailboxes can gather intelligence from ongoing conversations, identify targets for further exploitation, or exfiltrate sensitive data without raising immediate suspicion. These mailboxes may also bypass some security filters, as their contents are typically considered routine and may not be closely monitored.

 

Access to privileged accounts and shared mailboxes also allows subjects to escalate privileges, alter system configurations, access secure data repositories, or manipulate security settings, making it easier to both conduct malicious activities and cover their tracks. Moreover, service and application accounts often have broader access rights across systems or environments than typical user accounts and are frequently excluded from standard monitoring protocols, offering potential pathways for undetected exfiltration or malicious action.

 

This elevated access gives subjects insight into critical system operations and internal communications, such as unencrypted data flows or internal vulnerabilities. This knowledge not only heightens their potential for malicious conduct but can also make them a target for external threat actors seeking to exploit this elevated access.